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METHOD AND SYSTEM FOR WEB -BASED DCE MANAGEMENT 

CROSS-REFERENCE TO RELATED APPLICATIONS 

This is a divisional application of U.S. Patent 
Application Serial Number 08/889,727, filed July 08, 
1997, now allowed, titled "Web-Based DCE Management" 



BACKGROUND OF THE INVENTION 



10 1. Field of the Invention 

The present invention relates to an improved data 
processing system and, in particular, to a method and 
system for administration and management of computer 
resources in a distributed computer network. 

15 

2. Description of Related Art 

The burdens on computer network administrators have 
been rapidly growing both in volume and in complexity. 
Chief among these burdens is the need for corporate 

20 administrators to manage their so-called "Distributed 

Computing Environment" cells. DCE is a known distributed 
environment that has been widely implemented using 
software available from the Open Systems Foundation 
(OSF) . In a distributed computing environment, a group 

25 of machines is typically referred to as a "domain." An 

OSF DCE domain is called a "cell." A DCE cell is often a 
complex environment involving hundreds of machines in 
many locations. 

DCE offers many management challenges to the network 

30 administrator. The management tasks are quite broad in 
scope, ranging from defining new accounts to retrieving 
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the status of DCE servers. In the past, there has not 
been a convenient user interface by which the 
administrator can perform these various management tasks 
in an efficient, consistent and reliable manner. For 
example, to define a DCE account, the administrator must 
create a DCE principal, add the principal to a group, add 
the principal to an organization, and then finally create 
the account. This operation requires access to multiple 
display menus and entry of numerous commands. As another 
example, it is important for the network administrator to 
be aware of the current status of all DCE servers in the 
environment. Known DCE management interfaces do not 
provide simple graphical presentation of server status, 
and thus administrators cannot easily retrieve 
information about them so as to facilitate and execute 
management actions. As a result, known DCE management 
schemes presently implement complex, text-based 
management interfaces that include unnecessary 
information that complicates the efficient management of 
DCE cells. 

The present invention addresses this important 
problem. 
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SUMMARY OF THE INVENTION 

It is a primary object of the invention to simplify 
the administration and management of DCE cells. 
5 It is another primary object of the invention to 

provide for graphical -based administration of a DCE cell. 

It is a further primary object to overlay a 
GUI-based interface over a command line interface by 
exploiting the known relationships between underlying 
10 objects and actions in the CLI interface. 

It is a more general object of the invention to 
allow Web browser-based administration of a set of 
networked computers connecting in a distributed 
environment . 

15 Yet another more specific object of this invention 

is to provide for DCE Web-based administration of a cell 
to allow network administrators to manage DCE cells from 
any secure World Wide Web or Internet client machine. 

It is another object of the invention to enhance the 

20 consistency, simplicity and portability of DCE cell 

management and thereby enable network administrators to 
easily retrieve information on a DCE cell and execute 
management actions against such information. 

Another more specific object of this invention is to 

25 provide a streamlined graphical user interface for DCE 
cell management to thereby reduce information overload 
during network administration. 

Still another object of the invention is to take 
advantage of Web browser "frames" to present a network 

30 administrator with complementary input and output 
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information between which the administrator may navigate 
to effect different management actions. 

Another object is to enable the network 
administrator to easily determine the status of any DCE 
5 server in the environment. 

The present invention takes advantage of a known Web 
browser mechanism and existing DCE interfaces to 
facilitate and simplify management of DCE cells. In the 
preferred embodiment, administration may be performed 

10 from any secure Web browser acting as a client. 

Management data is typically supported on a target Web 
server. At the browser, CGI scripts are used to dynamic 
generate HTML (hypertext markup language) pages based on 
the network administrator's selections and the current 

15 state and defined objects in the DCE cell. The result is 
a robust and efficient Web-based DCE management scheme 
that provides significant advantages over the simple 
text-based and other known interfaces of the prior art. 
The Web-based interface design of the invention is 

20 hierarchical, starting with a logon page that allows the 
administrator to log into the cell that includes the 
target Web server. After logon, the administrator 
proceeds to a DCE Web Administration main menu from which 
a number of management actions may be launched including 

25 DCE command line operations (using the DCECP function) , 
server status inquiries, and "fast path" tasks. 
Hyperlink references are provided to facilitate 
navigation options. From the DCECP Commands hyperlink, 
the administrator proceeds to a table display of the main 

30 functions available in DCECP, which include registry 
groupings of principals, groups, organizations and 
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accounts. Management functions are facilitated using a 
dual frame display whenever information is input by the 
administrator in one frame while management data is 
simultaneous output in another frame. Preferably, 
5 form-based information is received in the first frame of 
the display. This frame technique maximizes interaction 
and feedback to the administrator, who would otherwise 
have to switch back and forth between the forms page and 
the output page to analyze the impact of administrative 

10 actions using the DCECP command functions. 

The upper frame of the interface is preferably 
subdivided into a number of display areas. In a command 
line interface, there are predetermined relationships 
between underlying objects and actions that make up the 

15 interface. A first display area of the upper frame of 

the invention displays a graphical representation of the 
CLI object/action hierarchy. Hyperlinks associated with 
the elements in the representation present the 
administrator with simple navigation options. A second 

20 display area includes a form by which the user types in, 
selects and/or checks information associated with a 
particular obj ect /act ion relationship. A third display 
area may be used to display control elements. According 
to the invention, the user may navigate (within the first 

25 display area) between actions associated with the same 

object, in which case the interface preferably retains in 
the second display area a last context selected by the 
user. The user may also navigate within the first 
display area) to new objects, in which case the interface 

30 preferably refreshes the second display area as needed to 
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illustrate a new context between the new object and its 
associated actions. 

The foregoing has outlined some of the more 
pertinent objects and features of the present invention. 

5 These objects should be construed to be merely 

illustrative of some of the more prominent features and 
applications of the invention. Many other beneficial 
results can be attained by applying the disclosed 
invention in a different manner or modifying the 

10 invention as will be described. Accordingly, other 

objects and a fuller understanding of the invention may 
be had by referring to the following Detailed Description 
of the Preferred Embodiment. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

5 The novel features believed characteristic of the 

invention are set forth in the appended claims. The 
invention itself, further objectives, and advantages 
thereof, will be best understood by reference to the 
following detailed description when read in conjunction 
10 with the accompanying drawings, wherein: 

Figure 1 is a representative system in which the 
present invention is implemented; 

Figure 2 is a representative display screen showing 
a DCE logon Web page; 
15 Figure 3 is a flowchart illustrating the basic 

operation of the hierarchical display interface according 
to the present invention; 

Figure 4 is a representative display screen showing 
a DCE Server Status Web page; 
20 Figure 5 is a representative display screen 

illustrating the DCECP Command Main Menu Web page; and 

Figure 6 is a representative display screen 
illustrating a DCECP Account Show Web page* 



25 
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DETAILED DESCRIPTION OF THE INVENTION 



A representative system in which the present 
invention is implemented is illustrated in Figure 1. A 
5 client machine 10 is connected to a Web server platform 
12 via a communication channel 14. For illustrative 
purposes, channel 14 is the Internet, an Intranet or 
other known network connection. Client and server, in 
turn, are located within a DCE domain or "cell", which is 

10 generally a set of connected machines that share a single 
namespace. Web server platform 12 is one of a plurality 
of servers which are accessible by clients, one of which 
is illustrated by machine 10. It supports files in the 
form of hypertext documents and objects. 

15 A representative client machine includes a browser 

16, which is a known software tool used to access the 
servers of the network. Representative browsers that 
support frames include, among others, Netscape Navigator, 
Microsoft Internet Explorer or the like, each of which 

20 are "off-the-shelf" or downloadable software programs. 

The Web browser 16 implements display "frames." A frame 
is a dedicated region or area of the browser display 
screen which includes separate display control elements 
such as scroll bars and the like. In the preferred 

25 embodiment, a "dual" frame approach is used, however, 

this is merely exemplary as any number of frames may be 
used in the DCE management interface. 

A representative Web Server platform 12 comprises an 
IBM RISC System/6000 computer 18 (a reduced instruction 

30 set of so-called RISC-based workstation) running the AIX 
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(Advanced Interactive Executive Version 4.1 and above) 
Operating System 20 and a Web server program 22, such as 
Netscape Enterprise Server Version 2.0. The platform 12 
also includes a graphical user interface (GUI) 24 for 
5 management and administration. While the above platform 
is useful, any other suitable hardware/operating 
system/Web server combinations may be used. 

The DCE cell includes a number of services 
including, among others, a Security Service 52. The DCE 

10 cell may use so-called DCE Kerberos-based authentication. 
A UNIX "credential" is associated with each operation and 
holds the local authentication information for that 
operation. In particular, a credential is a data 
structure defining a particular machine (or a user on a 

15 multi-user machine) . The credential typically includes a 
user id, a group id, optionally a list of operating 
system privileges, and an authentication identifier known 
as a PAG (Process Authentication Group) . The PAG acts as 
a tag for associating "tickets" between clients and the 

20 DCE Security Server 52. When users authenticate via the 
DCE Login facility, known as dce_login, the DCE Security 
Service interacts with the client (across the network) 
through a setpagO interface to establish the PAG/ticket 
relationship in the process's credential. When a user 

25 (at a client machine) has properly authenticated via a 

DCE login, the credential is retained at each end of the 
connection. 

According to the present invention, administrators 
manage the DCE cell from any secure Web browser, such as 
30 browser 16 shown in Figure 1. In the preferred 

embodiment, the preferred interface is hierarchical. It 
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may start with a logon page that allows DCE cell 
administrators and other users to log into the DCE cells 
that includes the target Web server. A representative 
logon page is illustrated in Figure 2. It includes a 
5 fill-in form comprising a Userid field 60, a Password 
field 62, a Submit button 64 and a Reset button 66. 
Faced with this screen, the administrator may decline to 
logon but, in such case, he or she would be limited in 
which functions may be performed later. As noted above, 

10 the display is located within a Web browser window 65. 
It may thus be considered to be a Web page. 

Figure 3 is a flowchart illustrating the basic 
operation of the hierarchical display interface according 
to the present invention. At step 70, the logon page as 

15 illustrated in Figure 2 is displayed. Thereafter, the 

user enters the userid and password at step 72 . A check 
is then made at step 74 to determine whether the user can 
be authenticated. If the user cannot be authenticated, 
which is indicated by a negative outcome of the test at 

20 step 74, the routine continues at step 76 to restrict the 
user's access to the DCE management tasks. If, however, 
the user can be authenticated, the routine continues at 
step 78 to display a DCE Web Administration main menu. 
The main menu generally includes a list of high level 

25 management operations such as "DCE Fast Path, " "DCE 

Server Status" and "DCECP Commands . " These operations 
(and their associated commands are merely 
representative). At step 80, a test is performed to 
determine whether the administrator has selected the DCE 

30 Fast Path command. Such selection may be accomplished by 
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clicking on a hypertext reference link associated with 
the command line, in a known manner. If the 
administrator has selected the DCE Fast Path command, the 
routine branches to step 82 to provide a new Web page 

5 from which a DCE Fast Path command may be implemented. 
Fast Path commands allow the administrator to 
perform commonly used tasks in one step that usually 
require multiple steps. For example, the DCE Fast Path 
Tasks page provides the administrator with a link to a 

10 form where the administrator can define an account in one 
step without forcing the administrator to first create 
the principal, add the principal to a group, add the 
principal to an organization, and finally create the 
account. Of course, defining an account is merely one 

15 "Fast Path" task that may be implemented. 

If the outcome of the test at step 80 is negative, a 
test is then performed at step 84 to determine whether 
the administrator has selected (e.g., via activating a 
hypertext link) the DCE Server Status command from the 

20 main menu Web page. If so, the routine branches to step 
86 to provide a display showing what servers are 
installed in the DCE cell and their current status. 
Figure 4 represents the Web page display. As 
illustrated, the page is maintained within the Web 

25 browser window and includes a first table 88 showing the 
"Configuration Status" of DCE Servers and a second table 
90 illustrating their "Process Status." The information 
is provided in a convenient, easy- to-understand format 
that may be readily accessed and used by the 

30 administrator. In particular, the information is 

presented in a manner expected by the administrator and 
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without unnecessary data or other noise. Although not 
illustrated in detail, it should be appreciated that the 
mechanism also enables the administrator to obtain other 
attributes about the servers (e.g., such as which 
5 hostnames they reside on) as may be convenient. 

Turning back to the operational flowchart of Figure 
3, if the outcome of the test at step 84 is negative, 
then it is assumed (if a selection has been made) that 
the user has selected the DCECP Commands entry in the 

10 main menu. Such selection, as noted above, may be 

effected by clicking on a hypertext link. This causes 
the routine to branch to step 92. at this point, the 
administrator proceeds to a new Web page illustrating a 
table display of the main functions available in DCECP. 

15 DCECP is a known administrative interface for performing 
DCE management tasks. An exemplary page is shown in 
Figure 5. According to the present invention, the DCECP 
main menu Web page utilizes frames. 

As shown, the Web browser has first and second 

20 frames 94 and 96, each of which includes its own set of 
control bars, in a known manner. The first and second 
frames could be side-by-side as opposed to one above the 
other. The relative size of the first and second frames 
may be different, and a different number of frames may be 

25 used. In this embodiment, the upper frame 94 includes 
the DCECP main menu table 100, and the lower frame 96 
includes a display of management data (in this case a 
Help screen showing a DCECP object listing) . The main 
menu table 100 is organized into a defined hierarchy with 

30 the various registry objects including account and 

principal. The group and organization objects, among 
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others, are not shown. Although not illustrated, a DCE 
principal may belong to many groups but typically just 
one "primary" group. Likewise, a DCE organization may 
belong to many organizations but typically just one 

5 primary organization. As can be seen, the registry 
object called "account" has a number of "actions" 
associated therewith: catalog, create, delete, generate, 
modify and show, and the registry object called 
"principal" has its associated action set. Each of the 

10 actions in a given set has associated therewith a 

hypertext link. Typically, the actions are operations 
that are common to more than one object (although this is 
not required) . When the user moves the mouse pointer 
over the link, the link target is displayed in the Status 

15 bar 105. Activation (i.e. selection) of a link on the 
Web page generates an HTML request in a known manner. 

Generalizing, in the DCECP command line interface, 
there are predetermined "relationships" that exist 
between the underlying objects and their actions. A 

20 detailed description of these relationships is beyond the 
scope of the present invention, however, the inventive 
interface takes advantage of the known relationships 
between the underlying objects and actions to create a 
robust mechanism for presenting and manipulating 

25 information on top of a command line interface (CLI) such 
as DCECP. This is illustrated in Figure 6 by way of 
example. Figure 6 is a multi-frame Web page displayed 
when the administrator selects the account show action 
from the main menu table displayed in Figure 5. 

30 The upper frame comprises several areas, and the 

relative positions of each area as shown is merely 
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illustrative, at the top of the frame (just below the 
title line) , a data structure 110 is displayed in a first 
display area 109. Data structure 110 is a graphical 
representation of a hierarchy of the CLI interface and 

5 thus illustrates the known "relationships" between the 
various objects and their actions. In this 
representative embodiment (involving the DCECP CLI) , the 
hierarchy comprises the DCECP main menu entry 111, a 
registry objects entry 112 including a set of registry 

10 objects each separated by [ ] , and actions entry 114 

including a set of actions each separated by [ ] * The 
graphical representation may take on other forms (such as 
the display of icons or other graphical devices) 
representing the various objects and actions. 

15 Preferably, each "element" of the representation includes 
a hypertext link associated therewith so that (in the 
context of a Web page) the particular object or action 
may be selected by a conventional point and click or 
other input method. If an element of the hierarchy is 

20 being currently displayed, it is typically highlighted 
(e.g., by bolding) . 

The DCECP command Web page upper frame also includes 
a second display area 115 located between a pair of 
display elements 118 and 120. Display area is variable 

25 and may include many different types of elements. 

Typically, this area includes a "form" displaying a set 
of elements (e.g., object names, account names, lists of 
attributes associated with objects, etc.) and an active 
control such as a scroll bar or other known device. In 

30 this particular example, the display area includes a 

listbox 116, although it should be appreciated that the 
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actual graphical device (i.e. the form) displayed in area 
115 will typically vary as the user undertakes to move 
through the hierarchy by pointing and clicking on the 
links . 

5 The upper frame may also include a third display 

area 121 underlying the second display area 115. In 
general, display area 121 includes one or more dialog 
boxes, checkboxes and/or control buttons, for example, to 
facilitate the "execution" of the variable form 

10 information entered in the second display area 115. 

Thus, the Execute button packages the form information - 
whatever the user types in, selects and/or checks - in 
the display area 115, and passes it to the Web server for 
execution (typically via a CGI script) . The resulting 

15 output or error information may then be displayed in the 
bottom frame. Additional controls may also be included 
in the third display area 121. For example, the Reset 
button sets all the variable form controls back to their 
initial values. A Debug checkbox allows the 

20 administrator to gain additional output in the bottom 
frame, such as the format and type of CGI parameters 
passed to the server. A Verb Help checkbox provides 
verbose textual help when the administrator selects the 
button. These controls are merely representative. 

25 According to the present invention, the interface 

takes advantage of the existing object and action 
relationships of the CLI interface as such 
representations are set forth in the data structure 110. 
When the administrator moves from a first action to a 

30 second action associated with the same object, the 

interface retains (as a default) whatever last "context" 
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exists in the second display area. Thus, for example in 
Figure 6, the first action is "show" (which is bolded) 
and the object is "account." The predetermined 
relationship between the "account" object and the "show" 
5 action requires a listbox 116 of account names to be 

displayed in the second area (since the DCECP CLI syntax 
returns a list of account names as an argument to the 
account show command) . The display illustrates the 
administrator selecting cell_admin from the list of 

10 accounts in the DCE cell, checking the "all" option, and 
pressing the "Execute" button in the top frame. In 
response, an HTML request is issued to the target Web 
server to which the secure Web client is connected. A 
management task is effected at the Web server (preferably 

15 via a CGI script) , and the resulting management data is 
returned to the Web client and displayed in the bottom 
frame. The bottom frame shows the results of executing 
the action, which is all the attributes and values stored 
on the cell_admin account object. 

20 Now, as discussed above, it is assumed that the 

administrator moves from the "show" action to the 
"modify" action. In other words, the administrator has 
moved between actions for the same object (in this case, 
the "account" object) . The first action may be 

25 considered a currently selected action and the new action 
may be considered a target action. In the preferred 
embodiment, the listbox 116 in the second display area 
remains persistent, as the interface defaults to the last 
context used by the administrator. Thus, the interface 

30 infers that the administrator desires to modify the 
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properties of cell_admin, although the administrator may 
select some other account name. 

Instead of just moving between actions for a given 
object, the administrator may desire to move to a new 
5 object. In the example shown in Figure 6, this operation 
would be effected by the administrator pointing and 
clicking on another registry object (sometimes referred 
to as a "target") in line 112 of the hierarchy. In this 
case, the existing relationship between the target object 

10 and the currently-selected action may (or may not) 
dictate an alternate display element in the second 
display area. If, as a result of this relationship, a 
new display element is required, the display area 115 is 
refreshed with a new form or other required element. The 

15 display area 115 thus displays a given "context" 

associated with a given object and a given action. Thus, 
for example, if the administrator were to click on the 
group link in Figure 6 (given that account and show were 
the current selections) , the group link would be 

20 highlighted (and the account link highlight removed) , the 
display area 115 would be refreshed with a new listbox 
including a list of "groups." This new listbox 
represents a new context. One of the groups (preferably 
the "primary" group of the previously selected account, 

25 by default) would be highlighted. New control buttons 

(associated with the new object/action relationship) will 
then be displayed in the third display area 121. The 
administrator then uses this newly-refreshed upper frame 
to continue the management operation. 

30 Generalizing, the upper frame of the interface 

(which may be the entire screen if desired) includes a 
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first display area in which is displayed a graphical 
representation of the CLI ob j ect/action hierarchy. 
Hyperlinks associated with the elements in the 
representation present the administrator with simple 
5 navigation options. A second display area includes a 
form by which the user types in, selects and/or checks 
information associated with a particular obj ect/action 
relationship. The user may navigate in the first display 
area between actions associated with the same object, in 

10 which case the interface preferably retains in the second 
display area a last context selected by the user. The 
user may also navigate in the first display area to new 
objects, in which case the interface preferably refreshes 
the second display area as needed to illustrate a new 

15 context between the new object and its associated 
actions . 

Thus, in the illustrated embodiment of Figure 6, the 
first entry 111 gives the administrator the chance to 
make a major traversal back up the administration tree by 

20 hopping back to the DCECP Main Menu Web page. This is 

accomplished as noted above by placing the cursor on the 
DCECP Main Menu link and clicking. Additional "major" 
navigation options may also be available on this line if 
desired. The second line (reference numeral 112) allows 

25 the administrator to navigate between related object 

groups. The third line (reference numeral 114) allows 
the administrator to navigate between actions on the same 
DCE object. 

Preferably, the DCE object and action navigation 
30 links for the elements being displayed are in bold and 

are not selectable on the page to which they are related. 
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This provides a further navigation clue, besides the 
title, regarding which action (s) the administrator can 
perform. The second and third navigation lines of the 
hierarchy 110 provide a powerful set of architectural 
5 links for administrators to quickly and easily perform 
different actions without having to traverse up and down 
a fixed hierarchy. As previously noted, preferably the 
contents of the bottom frame will not change until the 
Execute or Help buttons (in the third display area) are 

10 pressed. 

Preferably, the two frame design of Figure 6 is 
utilized whenever form-based information is needed and 
some output of management data may be generated. 
Generally, the top or upper frame displays the form that 

15 the administrator fills out in preparation of executing a 
given command or action, while the bottom frame shows the 
output of the command or action. In addition, most Web 
browsers allow users to copy or save text from either 
frame for inclusion in reports or other files. Thus, 

20 information set forth in the various frames may be copied 
into other documents and saved in a known manner. 

The use of browser frames in which command and 
actions, on the one hand, and management data, on the 
other hand, are manipulated, provides significant 

25 advantages in the context of a DCE management scheme. 

This approach maximizes interaction and feedback to the 
administrator. For example, the administrator can 
quickly select an account name from the list of accounts 
in the DCE cell in the top frame, press the Execute 

30 button at the bottom of the top frame and have the 
results appear in the bottom frame. To perform the 



20 

AUS 9-1997-0113- US 2 

action on another account, the administrator can follow 
the same steps without needing to switch pages. When the 
administrator switches to another action, such as from 
account catalog to account show, the top frame will 
5 change, but the contents of the bottom frame preferably 
will not change. This gives the administrator a chance 
to view the results of a previous action and make a next 
action based an observation of the previous results, all 
without having to switch to another page or interface. 

10 The present invention provides numerous advantages 

over the prior art. An existing secure Web browser can 
be used to manage DCE cells. The browser interface is 
well-known and easy to use. It affords a consistent and 
reliable means by which a network administrator can 

15 retrieve management information from a server in the DCE 
cell. Management is simplified by presenting information 
hierarchically and through exploitation of the known DCE 
object/action interfaces. Using Web-based CGI scripting, 
the tool reacts dynamically to administrator selections 

20 and the current state and defined objects in the DCE 
cell. The interface is highly streamlined and, 
typically, does not attempt to represent every DCE object 
as an icon or graphic on the Web page. 

The frame-based approach described in the preferred 

25 embodiment offers significant advantages. Without this 
design, the administrator would have to view the results 
of his or her administrative actions on a separate page 
and then switch back and forth between the forms page and 
the output page. Non- frame based Web browsers would also 

30 have to present their results in this way. 
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In the preferred embodiment, the DCECP command Web 
pages are not statically defined HTML pages (although 
they could be) . Instead, these command pages take 
advantage of CGI scripting to dynamically generate HTML 
5 pages based on the administrator's actions and 

selections. For example, in the illustrated embodiment 
discussed above, there is no n account_show. html " page per 
se. Rather, when the administrator selects the account 
show action, a CGI script builds the HTML page, filling 

10 in dynamic information, such as the current list of 

accounts in the DCE cell, and sends this information back 
to the secure Web browser client for presentation to the 
administrator. This implementation has many advantages 
in eliminating the need for multiple static Web pages. 

15 It also reacts to and presents changeable information in 
the cell. 

This Web-based design uses the DCE command line 
program, DCECP, to effect most of the administrator's 
tasks. This provides the administrator with a direct 

20 correlation between actions performed in the Web 

interface to commands and tasks that can be performed 
with DCECP on the workstation or via a telnet connection 
to the workstation. DCECP is not a required part of the 
design, however. The CGI scripts behind the Web pages 

25 may interface with a custom-built daemon to process the 
administrator-initiated commands . 

Another advantage is that inventive interface is 
portable to many versions of DCE since it uses the 
standard DCECP command line interface. It only needs to 

30 be recompiled, if implemented in a non-interpreted 

language, per operating system platform, not per version 
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of DCE. The interface is also portable to many Web 
servers since it is preferably implemented as CGI 
scripts, not as special plug-ins or additions to the Web 
server application. Moreover, in the preferred 
5 embodiment, the interface does not require Web client 

side changes. This enables any frame-enabled Web browser 
to be used. 

The present invention includes a "client" component 
resident on a computer configured as a secure Web client, 

10 and a "server" component resident on a computer 
configured as a target Web server. Management 
information is generally supported on the target Web 
server and is thus accessible to a user (e.g., a network 
administrator) operating the client machine after a logon 

15 in which a "credential" is maintained at each end of the 
Internet connection . 

The present invention is not limited to management 
of DCE "cells" either. One of ordinary skill in the art 
will appreciate that the inventive use of a Web-based or 

20 other graphical user interface may be implemented in any 
distributed computing environment (not merely OSF DCE) 
wherein it is desired to have an administrator manage 
client machines in secure manner using a CLI . Moreover, 
the set of DCE-based objects and actions are merely 

25 representative as well, and the present invention should 
be broadly construed to cover any interface that presents 
a set of objects and a set of actions and allows the user 
(e.g., an administrator) to select both an object and an 
action and then switch between respective objects or 

30 actions. The interface may be generalized to any display 
tool that presents the results of a prior-executed action 
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while allowing the user to select a new object and action 
to be executed. 

One of the preferred implementations of the 
Web-based DCE management scheme of the invention is as a 
5 set of instructions (program code) in a code module 

resident in the random access memory of the computer. 
Until required by the computer, the set of instructions 
may be stored in another computer memory, for example, in 
a hard disk drive, or in a removable memory such as an 

10 optical disk (for eventual use in a CD ROM) or floppy 
disk (for eventual use in a floppy disk drive) , or 
downloaded via the Internet or other computer network. 
In addition, although the various methods described are 
conveniently implemented in a general purpose computer 

15 selectively activated or reconfigured by software, one of 
ordinary skill in the art would also recognize that such 
methods may be carried out in hardware, in firmware, or 
in a more specialized apparatus constructed to perform 
the required method steps. 

20 As used herein, "Internet client" should be broadly 

construed to mean any computer or component thereof 
directly or indirectly connected or connectable in any 
known or later-developed manner to a computer network, 
such as the Internet. The term "Internet server" should 

25 also be broadly construed to mean a computer, computer 
platform, an adjunct to a computer or platform, or any 
component thereof. Of course, a "client" should be 
broadly construed to mean one who requests or gets the 
file, and " server" is the entity which downloads the 

30 file. It should also be appreciated that the present 

invention could be used to cache data and programs at a 
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local server serving a set of Internet clients from a 
master server to conserve network resources. 

It is important to note that while the present 
invention has been described in the context of a fully 
5 functioning data processing system, those of ordinary 
skill in the art will appreciate that the processes of 
the present invention are capable of being distributed in 
the form of instructions in a computer readable medium 
and a variety of other forms, regardless of the 

10 particular type of signal bearing media actually used to 
carry out the distribution. Examples of computer 
readable media include media such as EPROM, ROM, tape, 
paper, floppy disc, hard disk drive, RAM, and CD-ROMs and 
transmission-type media, such as digital and analog 

15 communications links. 

The description of the present invention has been 
presented for purposes of illustration but is not 
intended to be exhaustive or limited to the disclosed 
embodiments. Many modifications and variations will be 

20 apparent to those of ordinary skill in the art. The 

embodiments were chosen to explain the principles of the 
invention and its practical applications and to enable 
others of ordinary skill in the art to understand the 
invention in order to implement various embodiments with 

25 various modifications as might be suited to other 
contemplated uses. 



25 



AUS9-1997-0113-US2 

CLAIMS 

What is claimed is: 

1. A method of effecting management tasks in a 
5 distributed computing environment cell having at least 
one Web client with a browser connectable to a Web 
server, the distributed computing environment including a 
security service, comprising the steps of: 

authenticating a user of the Web client by returning 
10 a credential from the security service; 

responsive to user actions, displaying a plurality 
of Web pages in the browser from which the authenticated 
user manages the distributed computing environment cell; 
and 

15 managing the distributed computing environment cell 

from the Web browser. 



2. The method of claim 1 wherein upon authentication of 
the user, an administration main menu Web page of the 

20 sequence of Web pages is displayed. 

3. The method of claim 2 wherein the administration 
main menu Web page includes hypertext links associated 
with management command options. 

25 

4. The method of claim 3 wherein the step of managing 
the distributed computing environment cell is initiated 
by selecting one of the hypertext links associated with a 
management command option. 
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5, The method of claim 4 wherein the management command 
option calls a fast path task Web page from which the 
authenticated user performs multiple step administrative 
tasks with a single action. 

5 

6. The method of claim 4 wherein the management command 
option calls a server status Web page from which the 
authenticated user may view server status information. 

10 7. An apparatus for effecting management tasks in a 
distributed computing environment cell having at least 
one Web client with a browser connectable to a Web 
server, the distributed computing environment including a 
security service, the apparatus comprising: 

15 authenticating means for authenticating a user of 

the Web client by returning a credential from the 
security service; 

first displaying means for displaying, responsive to 
user actions, a plurality of Web pages in the browser 

20 from which the authenticated user manages the distributed 
computing environment cell; and 

managing means for managing the distributed 
computing environment cell from the Web browser. 

25 8. The apparatus of claim 7 wherein the first 
displaying means further comprises: 

second displaying means for displaying, upon 
authentication of the user, an administration main menu 
Web page of the plurality of Web pages. 
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9. The apparatus of claim 8 wherein the administration 
main menu Web page includes hypertext links associated 
with management command options. 

5 10. The apparatus of claim 9 further comprising: 

initiating means for initiating management of the 
distributed computing environment cell by selecting one 
of the hypertext links associated with a management 
command option. 

10 

11. The apparatus of claim 10 wherein the management 
command option calls a fast path task Web page from which 
the authenticated user performs multiple step 
administrative tasks with a single action. 

15 

12. The apparatus of claim 10 wherein the management 
command option calls a server status Web page from which 
the authenticated user may view server status 
information. 
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13. A computer program product on a computer readable 
medium for use in a data processing system for effecting 
management tasks in a distributed computing environment 
cell having at least one Web client with a browser 

5 connectable to a Web server, the distributed computing 
environment including a security service, the computer 
program product comprising: 

instructions for authenticating a user of the Web 
client by returning a credential from the security 
10 service; 

instructions for displaying, responsive to user 
actions, a plurality of Web pages in the browser from 
which the authenticated user manages the distributed 
computing environment cell; and 
15 instructions for managing the distributed computing 

environment cell from the Web browser. 

14. The computer program product of claim 13 wherein the 
instructions for displaying further comprise: 

20 instructions for displaying, upon authentication of 

the user, an administration main menu Web page of the 
plurality of Web pages. 

15. The computer program product of claim 14 wherein the 
25 administration main menu Web page includes hypertext 

links associated with management command options. 
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16. The computer program product of claim 15 further 
comprising : 

initiating means for initiating management of the 
distributed computing environment cell by selecting one 
5 of the hypertext links associated with a management 
command option. 

17. The computer program product of claim 16 wherein the 
management command option calls a fast path task Web page 

10 from which the authenticated user performs multiple step 
administrative tasks with a single action. 

18. The computer program product of claim 16 wherein the 
management command option calls a server status Web page 

15 from which the authenticated user may view server status 
information . 
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ABSTRACT OF THE DISCLOSURE 
METHOD AND SYSTEM FOR WEB -BASED DCE MANAGEMENT 

5 A frames-based Web browser is used with existing 

distributed computing environment (DCE) interfaces to 
facilitate and simplify management of DCE cells. In the 
preferred embodiment, administration may be performed 
from any secure Web browser acting as a client. 

10 Management data is typically supported on a target Web 
server. At the browser, CGI scripts are used to 
dynamically generate HTML (hypertext markup language) 
pages based on the network administrator's selections and 
the current state and defined objects in the DCE cell. 

15 The result is a robust and efficient Web-based DCE 
management scheme . 
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identified specification, including the claims, as amended by any amendment referred to 
above. x 

! acknowledge the duty to disclose information which is material to the patentability 
of this application in accordance with Title 37, Code of Federal Regulations, §1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code, §119 
of any foreign application(s) for patent or inventor's certificate listed below and have also 
identified below any foreign application for patent or inventor's certificate having a filing 
date before that of the application on which priority is claimed: 

Prior Foreign Application(s): Priority Claimed 

Yes No 

(Number) (Country) (Day/Month/Year) 
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I hereby claim the benefit under Title 35, United States Code, §120 of any United 
States application(s) listed below and, insofar as the subject matter of each of the claims 
of this application is not disclosed in the prior United States application in the manner 
provided by the first paragraph of Title 35, United States Code, §112, 1 acknowledge the 
duty to disclose information material to the patentability of this application as defined in 
Title 37, Code of Federal Regulations, §1.56 which occurred between the filing date of 
the prior application and the national or PCT international filing date of this application: 



(Application Serial #) (Filing date) (Status) 

I hereby declare that all statements made herein of my own knowledge are true 
and that all statements made on information and belief are believed to be true; and 
further that these statements were made with the knowledge that willful false statements 
and the like so made are punishable by fine or imprisonment, or both, under Section 1 001 
of Title 18 of the United States Code and that willful false statements may jeopardize the 
validity of the application or any patent issued thereon. 

POWER OF ATTORNEY: As a named inventor, I hereby appoint the following 
attorneys and/or agents to prosecute this application and transact all business in the 
Patent and Trademark Office connected therewith. 

John W. Henderson, Jr., Reg. No. 26,907; William T. Ellis, Reg., No. 26,874; 
Thomas E. Tyson, Reg. No. 28,543; Robert M. Carwell, Reg. No. 28,499; Richard A. 
Henkler, Reg. No. 39,220; Jeffrey S. LaBaw, Reg. No. 31,633; Douglas H. Lefeve, Reg. 
No. 26,193; David A. Mims, Jr., Reg. No. 32,708; Mark S. Walker, Reg. No. 30,699; 
Casimer K. Salys, Reg. No. 28,900; Volel Emile, Reg. No.39,969; Christopher A. Hughes, 
Reg. No. 26,914; Edward A. Pennington, Reg. No. 32,588; John E. Hoel, Reg. No. 
26,279; Joseph C. Redmond, Jr., Reg. No. 18,753 and David H. Judson, Reg. No. 
30,467. 

Send correspondence to: David H. Judson, Hughes & Luce, L.L.P., 1717 Main 
Street, Suite 2800, Dallas, Texas 75201 and direct all telephone calls to Mr. Judson at 
214/939-5672. 
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FULL NAME OF FIRST INVENTOR 
INVENTOR'S SIGNATURE: 




DATE: 

RESIDENCE: 

CITIZENSHIP: 

POST OFFICE ADDRESS: 



Theodore Jack London SHRADER 



May 22. 1997 

Cedar Park, TX 

United States 

1704 Shady Brook Lane 
Cedar Park, TX 78613 



FULL NAME OF SOLE OR SECOND INVENTOR: _ 
INVENTOR'S SIGNATURE: J f^jS^. 

DATE: May 2 ±. 1997 



Richard Jay COHEN 



RESIDENCE: 

CITIZENSHIP: 

POST OFFICE ADDRESS: 



7613 Waldon Drive 
Austin, TX 78750 

United States 

7613 Waldon Drive 
Austin, TX 78750 
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IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

In re application of: Shrader et al. § Group Art Unit: 2773 

§ 

Serial No.: Unknown (Divisional of 08/889,727) § Examiner: Sax 

§ 

Filed: (Herewith) § Atty. Docket No.: AUS9-1997-0113-US2 

§ 

For: Method and System for Web-Based DCE § 
Management § 

ASSOCIATE POWER OF ATTORNEY 

Hon. Assistant Commissioner of Patents 
Washington, D.C. 20231 



I hereby appoint Joseph R. Burwell, Reg. No. 44,468 as associate attorney to prosecute the 
above-identified application and transact business in the U.S. Patent and Trademark Office 
connected herewith. 



Date: 




IBM Corporation 
1 1400 Burnet Road -- 4054 
Austin, Texas 75758 
voice: (512) 823-0494 
fax: (512) 823-1036 
Attorney for Applicant 
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